In this video, Marc Menninger describes key roles and functions performed by IT security auditors. Discover which skills and certifications IT security auditors are expected to have. Learn how many years of experience and other requirements you'll need to qualify for this high-demand IT security job.
- [Instructor] IT security auditors play an important role in the world of IT security. They make sure the organization is securing what it needs to secure. To do that, they will review the status of all security controls in an organization and report on their findings. Because IT security auditors see all the security flaws in an organization, and people might want to influence how they report their findings, it's important that they have very high ethical standards and values. In addition to IT security auditor common job titles include, information security auditor, security compliance auditor, information systems auditor, information assurance auditor, and IT auditor.
IT security auditors must understand what the ideal security state is for a particular organization and be able to articulate how close or far the organization is to achieving that state. Therefore, IT security auditors need to have specialized skills and deep experience in IT security to be successful in their job. IT security auditors need to be able to interact with people at all levels of an organization, so they'll need to have strong interpersonal, oral, and written communication skills. An IT security auditor job isn't a good fit for someone who prefers to work alone.
Of course, IT security auditors must also have strong IT skills, such as a deep understanding of Windows, Unix, and Linux operating systems, as well as security technologies like firewalls, and intrusion detection and prevention protocols. In addition, because they must deliver detailed technical reports on a timely basis, IT security auditors need to be proficient in PowerPoint, Word, and Excel, and have experience with Vizio and MS project.
An IT security auditor is not an entry level position. You will apply your past experience in IT and IT security as you audit an organization to determine if security gaps exist. That's why job descriptions for IT security auditors will frequently require at least five to seven years of business audit experience with big four background preferred. That means auditing experience with accounting firms like Deloitte, PricewaterhouseCoopers, Ernst and Young, and KPMG will get an employers attention, but you can still get the job if you haven't worked at one of these companies.
You'll need to have a good working knowledge of regulatory or industry data security standards such as FFIEC, HIPPA, PCI, NIRK, SOX, NIST, EU Safe Harbor and GLBA. And you'll need experience implementing or auditing ISO 27001/27002, ITIL, or COBIT frameworks. Almost every auditor role will require a bachelor's degree in a related field. This means an IT field, such as a computer information systems degree.
Other technical degrees may also be accepted. Frequently desired certifications for IT security auditors include CISA, CISM, and CISSP. The IT security auditor job is excellent for security professionals who want to use their experience and their understanding of security frameworks to help organizations get more secure.
Marc closes with a few pieces of career advice specific to the world of information security, which will help you succeed in this dynamic and high-demand industry.
- IT security key concepts
- Understanding the job marketplace (government vs. healthcare, etc.)
- IT security success traits
- Career specializations
- IT security certifications
- Getting experience
- Marketing yourself